On Thu, Jan 31, 2013 at 10:02 PM, Wei, Gang <gang....@intel.com> wrote:
> Josh Boyer wrote on 2013-02-01:
>> On Thu, Jan 31, 2013 at 12:40 AM, Wei, Gang <gang....@intel.com> wrote:
>>> Bill Nottingham wrote on 2013-01-29:
>>>> Jaroslav Reznik (jrez...@redhat.com) said:
>>>>> = Features/OpenAttestation =
>>>>> https://fedoraproject.org/wiki/Features/OpenAttestation
>>>>>
>>>>> Feature owner(s): Gang Wei <gang....@intel.com>
>>>>>
>>>>> Provide fedora packages for OpenAttestation to support Trusted Compute
>>>>> Pools(TCP) feature in OpenStack since Folsom release & in future oVirt
>>>>> releases.
>>>>
>>>> Wow, TCP is a horribly unfortunate acronym collision.
>>>>
>>>>> == Detailed description ==
>>>>> This feature would include mostly packaging OpenAttestation project for
>>>>> fedora.
>>>>>
>>>>> * the source package will be named oat
>>>>> * the binary packages will include oat-appraiser & oat-client
>>
>> <snip>
>>
>>>> How does it intend to attest the OS in a rapidly updating Fedora
>>>> environment? Just the kernel + initramfs? An image-based checksum such
>>>> as what is used in ChromeOS?
>>>
>>> By far, just kernel + initramfs. Every time the kernel/initramfs got
>>> updated, the Known Good Value in OpenAttestation Server should be
>>> updated to take new kernel/initramfs as "trusted" one.
>>
>> Does this feature require any kernel options set in the Fedora kernel?
>> The dependency on Intel TXT machines and tboot would lead me to believe
>> that it might require IMA/EVA support. Is that the case? If so, those
>> are currently disabled in the Fedora kernel.
>
> This feature doesn't require any kernel options set directly. But tboot
> package will require intel_iommu=on and it will do it by providing grub2
> scripts.
> It doesn't require IMA/EVA by far.

Great. Thanks for the quick reply.

josh
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel